Prevention of security threats and incidents described below is wiser and cheaper than forensic investigations and mitigation of the consequences of a cyber attack. Use our services to find and mitigate your security vulnerabilities before the security threat agents find them.
The Government Communications Security Bureau is expanding its Malware-Free Networks cyber defence initiative. “We live in an increasingly global and connected world in which reckless and malicious cyber activity poses a threat to our digital information and our economic wellbeing,” the Minister responsible for GCSB, Andrew Little, said.
Posted on 28 May 2018 2:39 am on www.reseller.co.nz
Spear phishing is a targeted form of email attack used to steal sensitive information through enticement, impersonation, or access-control bypassing techniques. In a normal phishing attack, the attacker sends the emails randomly to convince the victims to open an email containing the attachments....
Posted on 27 May 2018 9:39 pm on resources.infosecinstitute.com
Why would a security professional need anonymity? Anonymity and the need for privacy are often associated with suspicious or even criminal activity. For instance, in the Cyber Security sector, one of the major challenges around breach detection and attribution is the fact that most attackers use....
Posted on 27 May 2018 6:30 pm on resources.infosecinstitute.com
Apple said it received as many as 16,249 national security requests affecting up to 8,249 accounts during the second half of 2017. The number of requests rose 20 percent compared with the first half of 2017, when Apple received 13,499 such requests. But the most recent figures are more than....
Posted on 27 May 2018 3:39 pm on www.reuters.com
A subreddit dedicated to hacking and hacking culture. What we are about: quality and constructive discussion about hacking and hacking culture. We are not here to teach you the basics. Please visit /r/HowToHack for posting beginner links and tutorials. Hacking related politics welcome. Penalties: Bans are handed out at moderator discretion.
Posted on 27 May 2018 1:37 pm on www.reddit.com
Coca-Cola discovered a security breach in September when law enforcement officials notified it that a former employee at a Coca-Cola subsidiary was found in possession of an external hard drive containing worker data. Coca-Cola announced a data breach after a former employee was found in possession of worker data on a personal hard drive.
Posted on 27 May 2018 12:33 pm on securityaffairs.co
FBI warns Russians hacked hundreds of thousands of routers (Reuters, May 25, 2018). The FBI warned on Friday that Russian computer hackers had compromised hundreds of thousands of home and office routers and could collect user information or shut down network traffic. The U.S.
Posted on 26 May 2018 10:39 am on www.matthewaid.com
#1215712: UK Warns That Aggressive Cyberattack Could Trigger Kinetic Response. UK Says it Doesn't Need to Demonstrate Attribution Before Engaging Cyber Retaliation. The scene was set last week when Air Marshal Phil Collins (Chief of Defence Intelligence, UK Ministry of Defence) spoke at the Royal United Services Institute (RUSI).
Posted on 26 May 2018 10:24 am on brica.de
By AFP 1 hour ago in World Colombia will next week formally become NATO's first Latin American "global partner," President Juan Manuel Santos announced Friday. Santos, who won the 2016 Nobel Peace Prize for his efforts to end a half-century of armed conflict with the former rebel movement FARC,....
Posted on 26 May 2018 7:57 am on www.digitaljournal.com
London police have seized half a million pounds ($667,000) worth of bitcoin from a prolific computer hacker in a case described as the first of its kind for the 188-year-old department. Cybercrime detectives seized the bitcoin from Grant West, 26, who was sentenced to 10 years and 8 months in prison....
Posted on 26 May 2018 3:48 am on english.alarabiya.net
If you’re a BMW owner, prepare to patch! Chinese researchers have found 14 security vulnerabilities affecting many models. The ranges affected (some as far back as 2012) are the BMW i Series, X Series, 3 Series, 5 Series and 7 Series, with a total of seven rated serious enough to be assigned CVE numbers.
Posted on 26 May 2018 3:48 am on nakedsecurity.sophos.com
Due to a bug in T-Mobile’s website back in April, customers’ account information was left accessible for anyone to see, ZDNet reports. While the security flaw has since been fixed, personal information could have potentially been misused by anyone who knew where to look. The subdomain — promotool.
Posted on 25 May 2018 9:32 pm on www.digitaltrends.com
Original release date: May 25, 2018

Systems Affected
Small office/home office (SOHO) routers
Networked devices
Network-attached storage (NAS) devices

Overview
Cybersecurity researchers have identified that foreign cyber actors have compromised hundreds of thousands of home and office routers and other networked devices worldwide. The actors used VPNFilter malware to target small office/home office (SOHO) routers. VPNFilter malware uses modular functionality to collect intelligence, exploit local area network (LAN) devices, and block actor-configurable network traffic. Specific characteristics of VPNFilter have only been observed in the BlackEnergy malware, specifically BlackEnergy versions 2 and 3.

The Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) recommend that owners of SOHO routers power cycle (reboot) SOHO routers and networked devices to temporarily disrupt the malware. DHS and FBI encourage SOHO router owners to report information concerning suspicious or criminal activity to their local FBI field office or the FBI’s 24/7 Cyber Watch (CyWatch). Field office contacts can be identified at www.fbi.gov/contact-us/field. CyWatch can be contacted by phone at 855-292-3937 or by email at CyWatch@fbi.gov. Each submitted report should include as much information as possible, specifically the date, time, location, type of activity, number of people, the type of equipment used for the activity, the name of the submitting company or organization, and a designated point of contact.

Description
The size and scope of the infrastructure impacted by VPNFilter malware is significant. The persistent VPNFilter malware linked to this infrastructure targets a variety of SOHO routers and network-attached storage devices. The initial exploit vector for this malware is currently unknown. The malware uses a modular functionality on SOHO routers to collect intelligence, exploit LAN devices, and block actor-configurable network traffic.

The malware can render a device inoperable, and has destructive functionality across routers, network-attached storage devices, and central processing unit (CPU) architectures running embedded Linux. The command and control mechanism implemented by the malware uses a combination of secure sockets layer (SSL) with client-side certificates for authentication and TOR protocols, complicating network traffic detection and analysis.

Impact
Negative consequences of VPNFilter malware infection include: temporary or permanent loss of sensitive or proprietary information, disruption to regular operations, financial losses incurred to restore systems and files, and potential harm to an organization’s reputation.

Solution
DHS and FBI recommend that all SOHO router owners power cycle (reboot) their devices to temporarily disrupt the malware. Network device management interfaces, such as Telnet, SSH, Winbox, and HTTP, should be turned off for wide-area network (WAN) interfaces, and, when enabled, secured with strong passwords and encryption. Network devices should be upgraded to the latest available versions of firmware, which often contain patches for vulnerabilities.

Rebooting affected devices will cause non-persistent portions of the malware to be removed from the system. Network defenders should ensure that first-stage malware is removed from the devices, and that appropriate network-level blocking is in place, prior to rebooting affected devices. This will ensure that second-stage malware is not downloaded again after reboot. While the paths at each stage of the malware can vary across device platforms, processes running with the name "vpnfilter" are almost certainly instances of the second-stage malware. Terminating these processes and removing associated processes and persistent files that execute the second-stage malware would likely remove this malware from targeted devices.

References
New VPNFilter malware targets at least 500K networking devices worldwide
Justice Department Announces Actions to Disrupt Advanced Persistent Threat 28 Botnet of Infected Routers and Network Storage

Revision History
May 25, 2018: Initial Version
Posted on 25 May 2018 9:22 pm on www.us-cert.gov
Data gathered by Lastline at RSA Conference 2018 reveals security professionals’ perspectives on the future of cryptocurrencies and cryptomining, response to ransomware attacks, and security impact of IoT devices. “Security teams are fighting a multi-front battle to keep their organizations safe from cybercriminals,” commented Dr.
Posted on 25 May 2018 7:51 pm on threatbrief.com
The FBI warned on Friday that foreign cybercriminals had compromised "hundreds of thousands" of home and small-office router devices around the world which direct traffic on the internet by forwarding data packets between computer networks. In a public service announcement, the FBI has discovered....
Posted on 25 May 2018 7:44 pm on www.voanews.com
Criminals are using ransomware-like tactics and poisoned websites to get your employees’ computers to mine cryptocurrencies. Here’s what you can do to stop it. Cryptojacking is the unauthorized use of someone else’s computer to mine cryptocurrency. Hackers do this by either getting the victim to....
Posted on 25 May 2018 7:34 pm on www.csoonline.com
The latest variant of the venerable Mirai botnet malware combines approaches and brings new exploits to the world of IoT security challenges. It's hard to keep a bad bot down. That's just one of the lessons that comes with Wicked Mirai, the latest variation on the Mirai Internet of Things botnet software.
Posted on 25 May 2018 6:26 pm on www.darkreading.com
Microsoft has always been a strong proponent of Windows Defender, and for good reason. Earlier this year, the company's software prevented a "massive" coin mining attack. In fact, the Redmond giant also announced that […]. Now, Microsoft has shared some statistics touting the importance of Windows Defender in the current state of cybersecurity.
Posted on 25 May 2018 5:27 pm on www.neowin.net
Amazon Echo Secretly Recorded Couple's Private Conversation, Then Sent It to Employee Without Permission. Some privacy experts are wondering what exactly is going on with Amazon's Alexa Echo smart device. You know, I've always thought there was something kind of creepy about the voice-activated Amazon Echo (a.
Posted on 25 May 2018 5:07 pm on www.inc.com
Now they talk about incident response teams and threat detectors. They buy expensive sensors that can detect malicious intruders bent on creating havoc. They field sales pitches from election vendors selling cyber-insurance. It may be a matter of time before elections workers have to pass a Level 2....
Posted on 25 May 2018 1:55 pm on www.tampabay.com
The founder and CEO of "My Nametags" Lars Andersen, originally from Norway, poses for photographs by a sheet label "weeding machine" at his business premises in London, Wednesday, May 23, 2018. Starting Friday, May 25, 2018, My Nametags and most other companies that collect or process the personal....
Posted on 25 May 2018 1:39 pm on phys.org
#1215594: 1 in 10 healthcare organizations paid a ransom within the last year. More than one in three healthcare organizations have suffered a cyberattack within the last year, while almost one in 10 have paid a ransom or extortion fee, according to Imperva.
Posted on 25 May 2018 1:05 pm on brica.de
HANOI (Reuters) - The United States has raised concerns with Vietnam about its proposed cybersecurity law, the U.S. Embassy said on Thursday, amid activists’ fears the new legislation will cause economic harm and crackdown on online dissent in the communist-ruled country. The concerns were conveyed by Deputy U.
Posted on 25 May 2018 11:38 am on www.reuters.com
According to data from the job site Indeed, job postings for cyber security roles rose by 150% between January 2017 and March 2018, with a corresponding 129% increase in job searches for such roles over the same period. Between January 2017 and March 2018, there has also....
Posted on 25 May 2018 10:48 am on www.cxotoday.com
Original release date: May 21, 2018 | Last revised: May 22, 2018

Systems Affected
CPU hardware implementations

Overview
On May 21, 2018, new variants of the side-channel central processing unit (CPU) hardware vulnerabilities known as Spectre and Meltdown were publicly disclosed. These variants, known as 3a and 4, can allow an attacker to obtain access to sensitive information on affected systems.

Description
Common CPU hardware implementations are vulnerable to the side-channel attacks known as Spectre and Meltdown. Meltdown is a bug that "melts" the security boundaries normally enforced by the hardware, affecting desktops, laptops, and cloud computers. Spectre is a flaw that an attacker can exploit to force a CPU to reveal its data.

Variant 3a is a vulnerability that may allow an attacker with local access to speculatively read system parameters via side-channel analysis and obtain sensitive information.

Variant 4 is a vulnerability that exploits “speculative bypass.” When exploited, Variant 4 could allow an attacker to read older memory values in a CPU’s stack or other memory locations. While implementation is complex, this side-channel vulnerability could allow less privileged code to:
Read arbitrary privileged data; and
Run older commands speculatively, resulting in cache allocations that could be used to exfiltrate data by standard side-channel methods.

Corresponding CVEs for Side-Channel Variants 1, 2, 3, 3a, and 4:
Variant 1: Bounds Check Bypass – CVE-2017-5753
Variant 2: Branch Target Injection – CVE-2017-5715
Variant 3: Rogue Data Cache Load – CVE-2017-5754
Variant 3a: Rogue System Register Read – CVE-2018-3640
Variant 4: Speculative Store Bypass – CVE-2018-3639

Impact
Side-Channel Vulnerability Variants 3a and 4 may allow an attacker to obtain access to sensitive information on affected systems.

Solution
Mitigation
NCCIC recommends that users and administrators:
Refer to their hardware and software vendors for patches or microcode;
Use a test environment to verify each patch before implementing; and
Ensure that performance is monitored for critical applications and services.
Consult with vendors and service providers to mitigate any degradation effects, if possible. Consult with Cloud Service Providers to mitigate and resolve any impacts resulting from host operating system patching and mandatory rebooting, if applicable.

The following table contains links to advisories and patches published in response to the vulnerabilities. This table will be updated as information becomes available.

Link to Vendor Information    Date Added
AMD                           May 21, 2018
ARM                           May 21, 2018
Intel                         May 22, 2018
Microsoft                     May 21, 2018
Redhat                        May 21, 2018

References
Google Project Zero Blog
Bounds Check Bypass – CVE-2017-5753
Branch Target Injection – CVE-2017-5715
Rogue Data Cache Load – CVE-2017-5754
Rogue System Register Read – CVE-2018-3640
Speculative Store Bypass – CVE-2018-3639
TA18-004A – Meltdown and Spectre Side-Channel Vulnerability Guidance

Revision History
May 21, 2018: Initial version
May 22, 2018: Added information and link to Intel in table
Posted on 21 May 2018 11:54 pm on www.us-cert.gov
Original release date: April 16, 2018 | Last revised: April 20, 2018

Systems Affected
Generic Routing Encapsulation (GRE) Enabled Devices
Cisco Smart Install (SMI) Enabled Devices
Simple Network Management Protocol (SNMP) Enabled Network Devices

Overview
Update: On April 19, 2018, an industry partner notified NCCIC and the FBI of malicious cyber activity that aligns with the techniques, tactics, and procedures (TTPs) and network indicators listed in this Alert. Specifically, the industry partner reported the actors redirected DNS queries to their own infrastructure by creating GRE tunnels and obtained sensitive information, which include the configuration files of networked devices. NCCIC encourages organizations to use the detection and prevention guidelines outlined in this Alert to help defend against this activity. For instance, administrators should inspect for the presence of protocol 47 traffic flowing to or from unexpected addresses, or the unexplained presence of GRE tunnel creation, modification, or destruction in log files.

Original Post: This joint Technical Alert (TA) is the result of analytic efforts between the Department of Homeland Security (DHS), the Federal Bureau of Investigation (FBI), and the United Kingdom’s National Cyber Security Centre (NCSC). This TA provides information on the worldwide cyber exploitation of network infrastructure devices (e.g., router, switch, firewall, Network-based Intrusion Detection System (NIDS) devices) by Russian state-sponsored cyber actors. Targets are primarily government and private-sector organizations, critical infrastructure providers, and the Internet service providers (ISPs) supporting these sectors. This report contains technical details on the tactics, techniques, and procedures (TTPs) used by Russian state-sponsored cyber actors to compromise victims. Victims were identified through a coordinated series of actions between U.S. and international partners.

This report builds on previous DHS reporting and advisories from the United Kingdom, Australia, and the European Union. [1-5] This report contains indicators of compromise (IOCs) and contextual information regarding observed behaviors on the networks of compromised victims. FBI has high confidence that Russian state-sponsored cyber actors are using compromised routers to conduct man-in-the-middle attacks to support espionage, extract intellectual property, maintain persistent access to victim networks, and potentially lay a foundation for future offensive operations.

DHS, FBI, and NCSC urge readers to act on past alerts and advisories issued by the U.S. and U.K. Governments, allied governments, network device manufacturers, and private-sector security organizations. Elements from these alerts and advisories have been selected and disseminated in a wide variety of security news outlets and social media platforms. The current state of U.S. network devices, coupled with a Russian government campaign to exploit these devices, threatens the safety, security, and economic well-being of the United States.

The purpose of this TA is to inform network device vendors, ISPs, public-sector organizations, private-sector corporations, and small office home office (SOHO) customers about the Russian government campaign, provide information to identify malicious activity, and reduce exposure to this activity. For a downloadable copy of the IOC package, see TA18-106A_TLP_WHITE.stix.xml.

Description
Since 2015, the U.S. Government received information from multiple sources, including private and public sector cybersecurity research organizations and allies, that cyber actors are exploiting large numbers of enterprise-class and SOHO/residential routers and switches worldwide. The U.S. Government assesses that cyber actors supported by the Russian government carried out this worldwide campaign. These operations enable espionage and intellectual property theft that supports the Russian Federation’s national security and economic goals.

Legacy Protocols and Poor Security Practice
Russian cyber actors leverage a number of legacy or weak protocols and service ports associated with network administration activities. Cyber actors use these weaknesses to identify vulnerable devices; extract device configurations; map internal network architectures; harvest login credentials; masquerade as privileged users; modify device firmware, operating systems, and configurations; and copy or redirect victim traffic through Russian cyber-actor-controlled infrastructure. Additionally, Russian cyber actors could potentially modify or deny traffic traversing the router.

Russian cyber actors do not need to leverage zero-day vulnerabilities or install malware to exploit these devices. Instead, cyber actors take advantage of the following vulnerabilities: devices with legacy unencrypted protocols or unauthenticated services, devices insufficiently hardened before installation, and devices no longer supported with security patches by manufacturers or vendors (end-of-life devices)...
Posted on 16 April 2018 8:25 pm on www.us-cert.gov
Original release date: March 27, 2018 | Last revised: March 28, 2018

Systems Affected
Networked systems

Overview
According to information derived from FBI investigations, malicious cyber actors are increasingly using a style of brute force attack known as password spraying against organizations in the United States and abroad. In February 2018, the Department of Justice in the Southern District of New York indicted nine Iranian nationals, who were associated with the Mabna Institute, for computer intrusion offenses related to activity described in this report. The techniques and activity described herein, while characteristic of Mabna actors, are not limited solely to use by this group. The Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) are releasing this Alert to provide further information on this activity.

Description
In a traditional brute-force attack, a malicious actor attempts to gain unauthorized access to a single account by guessing the password. This can quickly result in a targeted account getting locked out, as commonly used account-lockout policies allow three to five bad attempts during a set period of time. During a password-spray attack (also known as the “low-and-slow” method), the malicious actor attempts a single password against many accounts before moving on to attempt a second password, and so on. This technique allows the actor to remain undetected by avoiding rapid or frequent account lockouts.

Password spray campaigns typically target single sign-on (SSO) and cloud-based applications utilizing federated authentication protocols. An actor may target this specific protocol because federated authentication can help mask malicious traffic. Additionally, by targeting SSO applications, malicious actors hope to maximize access to intellectual property during a successful compromise. Email applications are also targeted. In those instances, malicious actors would have the ability to utilize inbox synchronization to (1) obtain unauthorized access to the organization's email directly from the cloud, (2) subsequently download user mail to locally stored email files, (3) identify the entire company’s email address list, and/or (4) surreptitiously implement inbox rules for the forwarding of sent and received messages.

Technical Details
Traditional tactics, techniques, and procedures (TTPs) for conducting the password-spray attacks are as follows:
Using social engineering tactics to perform online research (i.e., Google search, LinkedIn, etc.) to identify target organizations and specific user accounts for initial password spray
Using easy-to-guess passwords (e.g., “Winter2018”, “Password123!”) and publicly available tools, execute a password spray attack against targeted accounts by utilizing the identified SSO or web-based application and federated authentication method
Leveraging the initial group of compromised accounts, downloading the Global Address List (GAL) from a target’s email client, and performing a larger password spray against legitimate accounts
Using the compromised access, attempting to expand laterally (e.g., via Remote Desktop Protocol) within the network, and performing mass data exfiltration using File Transfer Protocol tools such as FileZilla

Indicators of a password spray attack include:
A massive spike in attempted logons against the enterprise SSO portal or web-based application. Using automated tools, malicious actors attempt thousands of logons, in rapid succession, against multiple user accounts at a victim enterprise, originating from a single IP address and computer (e.g., a common User Agent String). Attacks have been seen to run for over two hours.
Employee logons from IP addresses resolving to locations inconsistent with their normal locations.

Typical Victim Environment
The vast majority of known password spray victims share some of the following characteristics:
Use SSO or web-based applications with federated authentication method
Lack multifactor authentication (MFA)
Allow easy-to-guess passwords (e.g., “Winter2018”, “Password123!”)
Use inbox synchronization, allowing email to be pulled from cloud environments to remote devices
Allow email forwarding to be set up at the user level
Limited logging setup, creating difficulty during post-event investigations

Impact
A successful network intrusion can have severe impacts, particularly if the compromise becomes public and sensitive information is exposed. Possible impacts include:
Temporary or permanent loss of sensitive or proprietary information;
Disruption to regular operations;
Financial losses incurred to restore systems and files; and
Potential harm to an organization’s reputation...
Posted on 28 March 2018 1:00 am on www.us-cert.gov
Original release date: March 15, 2018 | Last revised: March 16, 2018

Systems Affected
Domain Controllers
File Servers
Email Servers

Overview
This joint Technical Alert (TA) is the result of analytic efforts between the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). This alert provides information on Russian government actions targeting U.S. Government entities as well as organizations in the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors. It also contains indicators of compromise (IOCs) and technical details on the tactics, techniques, and procedures (TTPs) used by Russian government cyber actors on compromised victim networks. DHS and FBI produced this alert to educate network defenders to enhance their ability to identify and reduce exposure to malicious activity.

DHS and FBI characterize this activity as a multi-stage intrusion campaign by Russian government cyber actors who targeted small commercial facilities’ networks where they staged malware, conducted spear phishing, and gained remote access into energy sector networks. After obtaining access, the Russian government cyber actors conducted network reconnaissance, moved laterally, and collected information pertaining to Industrial Control Systems (ICS).

For a downloadable copy of IOC packages and associated files, see:
TA18-074A_TLP_WHITE.csv
TA18-074A_TLP_WHITE.stix.xml
MIFR-10127623_TLP_WHITE.pdf
MIFR-10127623_TLP_WHITE_stix.xml
MIFR-10128327_TLP_WHITE.pdf
MIFR-10128327_TLP_WHITE_stix.xml
MIFR-10128336_TLP_WHITE.pdf
MIFR-10128336_TLP_WHITE_stix.xml
MIFR-10128830_TLP_WHITE.pdf
MIFR-10128830_TLP_WHITE_stix.xml
MIFR-10128883_TLP_WHITE.pdf
MIFR-10128883_TLP_WHITE_stix.xml
MIFR-10135300_TLP_WHITE.pdf
MIFR-10135300_TLP_WHITE_stix.xml

Contact DHS or law enforcement immediately to report an intrusion and to request incident response resources or technical assistance.

Description
Since at least March 2016, Russian government cyber actors, hereafter referred to as “threat actors”, targeted government entities and multiple U.S. critical infrastructure sectors, including the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors. Analysis by DHS and FBI resulted in the identification of distinct indicators and behaviors related to this activity. Of note, the report Dragonfly: Western energy sector targeted by sophisticated attack group, released by Symantec on September 6, 2017, provides additional information about this ongoing campaign.

This campaign comprises two distinct categories of victims: staging and intended targets. The initial victims are peripheral organizations such as trusted third-party suppliers with less secure networks, referred to as “staging targets” throughout this alert. The threat actors used the staging targets’ networks as pivot points and malware repositories when targeting their final intended victims. NCCIC and FBI judge the ultimate objective of the actors is to compromise organizational networks, also referred to as the “intended target.”

Technical Details
The threat actors in this campaign employed a variety of TTPs, including spear-phishing emails (from compromised legitimate accounts), watering-hole domains, credential gathering, open-source and network reconnaissance, host-based exploitation, and targeting industrial control system (ICS) infrastructure.

Using Cyber Kill Chain for Analysis
DHS used the Lockheed-Martin Cyber Kill Chain model to analyze, discuss, and dissect malicious cyber activity. Phases of the model include reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on the objective. This section will provide a high-level overview of threat actors’ activities within this framework.

Stage 1: Reconnaissance
The threat actors appear to have deliberately chosen the organizations they targeted, rather than pursuing them as targets of opportunity. Staging targets held preexisting relationships with many of the intended targets. DHS analysis identified the threat actors accessing publicly available information hosted by organization-monitored networks during the reconnaissance phase. Based on forensic analysis, DHS assesses the threat actors sought information on network and organizational design and control system capabilities within organizations. These tactics are commonly used to collect the information needed for targeted spear-phishing attempts. In some cases, information posted to company websites, especially information that may appear to be innocuous, may contain operationally sensitive information...
Posted on 15 March 2018 3:40 pm on www.us-cert.gov
This updated alert is a follow-up to the updated alert titled ICS-ALERT-18-011-01 Meltdown and Spectre Vulnerabilities (Update F) that was published March 1, 2018, on the NCCIC/ICS-CERT website.
Posted on 11 January 2018 7:51 pm on ics-cert.us-cert.gov
Posted on 4 January 2018 8:47 pm on www.us-cert.gov
NCCIC is aware of a public report of an improper authentication vulnerability affecting WAGO PFC200, a Programmable Logic Controller (PLC) device. According to this report, the vulnerability is exploitable by sending a TCP payload on the bound port. This report was released after attempted coordination with WAGO. NCCIC has notified the affected vendor of the report and has asked the vendor to confirm the vulnerability and identify mitigations. NCCIC is issuing this alert to provide notice of the report and to identify baseline mitigations for reducing the risk from this and other cyber attacks.
Posted on 7 December 2017 11:11 pm on ics-cert.us-cert.gov
Original release date: November 14, 2017 | Last revised: November 22, 2017 Systems Affected Network systems Overview This joint Technical Alert (TA) is the result of analytic efforts between the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). Working with U.S. government partners, DHS and FBI identified Internet Protocol (IP) addresses and other indicators of compromise (IOCs) associated with a Trojan malware variant used by the North Korean government—commonly known as Volgmer. The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA. For more information on HIDDEN COBRA activity, visit https://www.us-cert.gov/hiddencobra . FBI has high confidence that HIDDEN COBRA actors are using the IP addresses—listed in this report’s IOC files—to maintain a presence on victims’ networks and to further network exploitation. DHS and FBI are distributing these IP addresses to enable network defense and reduce exposure to North Korean government malicious cyber activity. This alert includes IOCs related to HIDDEN COBRA, IP addresses linked to systems infected with Volgmer malware, malware descriptions, and associated signatures. This alert also includes suggested response actions to the IOCs provided, recommended mitigation techniques, and information on reporting incidents. If users or administrators detect activity associated with the Volgmer malware, they should immediately flag it, report it to the DHS National Cybersecurity and Communications Integration Center (NCCIC) or the FBI Cyber Watch (CyWatch), and give it the highest priority for enhanced mitigation. For a downloadable copy of IOCs, see: IOCs ( .csv ) IOCs ( .stix ) NCCIC conducted analysis on five files associated with or identified as Volgmer malware and produced a Malware Analysis Report (MAR). MAR-10135536-D examines the tactics, techniques, and procedures observed. 
For a downloadable copy of the MAR, see:
MAR (.pdf)
MAR IOCs (.stix)

Description
Volgmer is a backdoor Trojan designed to provide covert access to a compromised system. Since at least 2013, HIDDEN COBRA actors have been observed using Volgmer malware in the wild to target the government, financial, automotive, and media industries. It is suspected that spear phishing is the primary delivery mechanism for Volgmer infections; however, HIDDEN COBRA actors use a suite of custom tools, some of which could also be used to initially compromise a system. Therefore, it is possible that additional HIDDEN COBRA malware may be present on network infrastructure compromised with Volgmer.

The U.S. Government has analyzed Volgmer’s infrastructure and has identified it on systems using both dynamic and static IP addresses. At least 94 static IP addresses were identified, as well as dynamic IP addresses registered across various countries. The greatest concentrations of dynamic IP addresses are identified below by approximate percentage:
India (772 IPs) 25.4 percent
Iran (373 IPs) 12.3 percent
Pakistan (343 IPs) 11.3 percent
Saudi Arabia (182 IPs) 6 percent
Taiwan (169 IPs) 5.6 percent
Thailand (140 IPs) 4.6 percent
Sri Lanka (121 IPs) 4 percent
China (82 IPs, including Hong Kong (12)) 2.7 percent
Vietnam (80 IPs) 2.6 percent
Indonesia (68 IPs) 2.2 percent
Russia (68 IPs) 2.2 percent

Technical Details
As a backdoor Trojan, Volgmer has several capabilities, including: gathering system information, updating service registry keys, downloading and uploading files, executing commands, terminating processes, and listing directories. In one of the samples received for analysis, the US-CERT Code Analysis Team observed botnet controller functionality. Volgmer payloads have been observed in 32-bit form as either executables or dynamic-link library (.dll) files.
The malware uses a custom binary protocol to beacon back to the command and control (C2) server, often via TCP port 8080 or 8088, with some payloads implementing Secure Socket Layer (SSL) encryption to obfuscate communications. Malicious actors commonly maintain persistence on a victim’s system by installing the malware-as-a-service. Volgmer queries the system and randomly selects a service in which to install a copy of itself. The malware then overwrites the ServiceDLL entry in the selected service’s registry entry. In some cases, HIDDEN COBRA actors give the created service a pseudo-random name that may be composed of various hardcoded words.

Detection and Response
This alert’s IOC files provide HIDDEN COBRA indicators related to Volgmer. DHS and FBI recommend that network administrators review the information provided, identify whether any of the provided IP addresses fall within their organizations’ allocated IP address space, and—if found—take necessary measures to remove the malware...
Posted on 14 November 2017 9:00 pm on www.us-cert.gov
Original release date: November 14, 2017 | Last revised: November 22, 2017

Systems Affected
Network systems

Overview
This joint Technical Alert (TA) is the result of analytic efforts between the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). Working with U.S. government partners, DHS and FBI identified Internet Protocol (IP) addresses and other indicators of compromise (IOCs) associated with a remote administration tool (RAT) used by the North Korean government—commonly known as FALLCHILL. The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA. For more information on HIDDEN COBRA activity, visit https://www.us-cert.gov/hiddencobra.

FBI has high confidence that HIDDEN COBRA actors are using the IP addresses—listed in this report’s IOC files—to maintain a presence on victims’ networks and to further network exploitation. DHS and FBI are distributing these IP addresses to enable network defense and reduce exposure to any North Korean government malicious cyber activity. This alert includes IOCs related to HIDDEN COBRA, IP addresses linked to systems infected with FALLCHILL malware, malware descriptions, and associated signatures. This alert also includes suggested response actions to the IOCs provided, recommended mitigation techniques, and information on reporting incidents. If users or administrators detect activity associated with the FALLCHILL malware, they should immediately flag it, report it to the DHS National Cybersecurity and Communications Integration Center (NCCIC) or the FBI Cyber Watch (CyWatch), and give it the highest priority for enhanced mitigation.

For a downloadable copy of IOCs, see:
IOCs (.csv)
IOCs (.stix)

NCCIC conducted analysis on two samples of FALLCHILL malware and produced a Malware Analysis Report (MAR). MAR-10135536-A examines the tactics, techniques, and procedures observed in the malware.
For a downloadable copy of the MAR, see:
MAR (.pdf)
MAR IOCs (.stix)

Description
According to trusted third-party reporting, HIDDEN COBRA actors have likely been using FALLCHILL malware since 2016 to target the aerospace, telecommunications, and finance industries. The malware is a fully functional RAT with multiple commands that the actors can issue from a command and control (C2) server to a victim’s system via dual proxies. FALLCHILL typically infects a system as a file dropped by other HIDDEN COBRA malware or as a file downloaded unknowingly by users when visiting sites compromised by HIDDEN COBRA actors. HIDDEN COBRA actors use an external tool or dropper to install the FALLCHILL malware-as-a-service to establish persistence. Because of this, additional HIDDEN COBRA malware may be present on systems compromised with FALLCHILL.

During analysis of the infrastructure used by FALLCHILL malware, the U.S. Government identified 83 network nodes. Additionally, using publicly available registration information, the U.S. Government identified the countries in which the infected IP addresses are registered.

Technical Details
FALLCHILL is the primary component of a C2 infrastructure that uses multiple proxies to obfuscate network traffic between HIDDEN COBRA actors and a victim’s system. According to trusted third-party reporting, communication flows from the victim’s system to HIDDEN COBRA actors using a series of proxies as shown in figure 1.

Figure 1. HIDDEN COBRA Communication Flow

FALLCHILL uses fake Transport Layer Security (TLS) communications, encoding the data with RC4 encryption with the following key: [0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 82]. FALLCHILL collects basic system information and beacons the following to the C2: operating system (OS) version information, processor information, system name, local IP address information, unique generated ID, and media access control (MAC) address.
FALLCHILL contains the following built-in functions for remote operations that provide various capabilities on a victim’s system:
retrieve information about all installed disks, including the disk type and the amount of free space on the disk;
create, start, and terminate a new process and its primary thread;
search, read, write, move, and execute files;
get and modify file or directory timestamps;
change the current directory for a process or file; and
delete malware and artifacts associated with the malware from the infected system.

Detection and Response
This alert’s IOC files provide HIDDEN COBRA indicators related to FALLCHILL. DHS and FBI recommend that network administrators review the information provided, identify whether any of the provided IP addresses fall within their organizations’ allocated IP address space, and—if found—take necessary measures to remove the malware...
Posted on 14 November 2017 8:09 pm on www.us-cert.gov
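Both the Volgmer and FALLCHILL alerts above ask administrators to check whether any IP address in the IOC files falls within their own allocated address space. The following added example (not code from US-CERT or the alerts) does that check with Python's ipaddress module and then runs the same IOC list over constructed outbound-connection log lines, flagging hits on the TCP ports the Volgmer alert names for C2 beaconing. The CSV column names, the log line format, and all addresses (RFC 5737/3849 documentation ranges) are constructed assumptions, not the alerts' real IOCs.

```python
import csv
import io
import ipaddress
import re

# Constructed IOC export. The column names are an assumption; the addresses are
# documentation ranges, NOT the HIDDEN COBRA indicators from the real IOC files.
SAMPLE_IOC_CSV = """indicator,type
192.0.2.44,ipv4-addr
203.0.113.7,ipv4-addr
198.51.100.0/24,ipv4-net
2001:db8::10,ipv6-addr
not-an-ip,ipv4-addr
"""

# Constructed: the organisation's allocated address space (the alerts' check).
ORG_ALLOCATED = ["192.0.2.0/24", "2001:db8::/32"]

# Ports the Volgmer alert names for C2 beaconing (TCP 8080 or 8088).
BEACON_PORTS = {8080, 8088}

# Constructed outbound-connection log, one "<src> -> <dst>:<port>" line each.
SAMPLE_LOG = """10.1.1.5 -> 203.0.113.7:8080
10.1.1.9 -> 93.184.216.34:443
10.1.1.5 -> 198.51.100.23:8088
10.1.1.7 -> 203.0.113.7:22
"""

LOG_RE = re.compile(r"^(\S+) -> (\S+):(\d+)$")


def load_iocs(csv_text):
    """Parse IOC rows into ip_network objects (a bare address becomes a /32 or /128).
    Malformed rows are skipped so one bad line cannot abort the whole review."""
    nets = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            nets.append(ipaddress.ip_network(row["indicator"].strip(), strict=False))
        except ValueError:
            continue
    return nets


def iocs_in_allocated_space(iocs, allocated):
    """Return the IOCs (as strings) that overlap the organisation's own ranges."""
    own = [ipaddress.ip_network(c) for c in allocated]
    return [str(i) for i in iocs
            if any(i.version == o.version and i.overlaps(o) for o in own)]


def flag_connections(log_text, iocs, beacon_ports):
    """Return (src, dst, port, on_beacon_port) for each connection whose
    destination matches an IOC; lines that do not parse are ignored."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        src, dst, port = m.group(1), m.group(2), int(m.group(3))
        try:
            dst_ip = ipaddress.ip_address(dst)
        except ValueError:
            continue
        if any(dst_ip.version == n.version and dst_ip in n for n in iocs):
            hits.append((src, dst, port, port in beacon_ports))
    return hits


if __name__ == "__main__":
    iocs = load_iocs(SAMPLE_IOC_CSV)
    print("IOCs inside our address space:", iocs_in_allocated_space(iocs, ORG_ALLOCATED))
    for src, dst, port, beacon in flag_connections(SAMPLE_LOG, iocs, BEACON_PORTS):
        print(f"{src} -> {dst}:{port}" + ("  (Volgmer beacon port)" if beacon else ""))
```

An IOC inside your own space points at a host to examine, while an outbound hit on a beacon port is a stronger signal; a hit on another port still warrants review, since the alerts say port selection is only "often" 8080 or 8088.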
Original release date: October 20, 2017 | Last revised: March 15, 2018

Systems Affected
Domain Controllers
File Servers
Email Servers

Overview
This alert has been superseded by newer information. The old alert is provided below for historical reference only. For the newest version, please see TA18-074A.

This joint Technical Alert (TA) is the result of analytic efforts between the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). This alert provides information on advanced persistent threat (APT) actions targeting government entities and organizations in the energy, nuclear, water, aviation, and critical manufacturing sectors. Working with U.S. and international partners, DHS and FBI identified victims in these sectors. This report contains indicators of compromise (IOCs) and technical details on the tactics, techniques, and procedures (TTPs) used by APT actors on compromised victims’ networks.

DHS assesses this activity as a multi-stage intrusion campaign by threat actors targeting low security and small networks to gain access and move laterally to networks of major, high value asset owners within the energy sector. Based on malware analysis and observed IOCs, DHS has confidence that this campaign is still ongoing, and threat actors are actively pursuing their ultimate objectives over a long-term campaign. The intent of this product is to educate network defenders and enable them to identify and reduce exposure to malicious activity.
For a downloadable copy of IOC packages and associated files, see:
TA17-293A_TLP_WHITE.csv
TA17-293A_TLP_WHITE_stix.xml
MIFR-10127623_TLP_WHITE.pdf
MIFR-10127623_TLP_WHITE_stix.xml
MIFR-10128327_TLP_WHITE.pdf
MIFR-10128327_TLP_WHITE_stix.xml
MIFR-10128336_TLP_WHITE.pdf
MIFR-10128336_TLP_WHITE_stix.xml
MIFR-10128830_TLP_WHITE.pdf
MIFR-10128830_TLP_WHITE_stix.xml
MIFR-10128883_TLP_WHITE.pdf
MIFR-10128883_TLP_WHITE_stix.xml
MIFR-10135300_TLP_WHITE.pdf
MIFR-10135300_TLP_WHITE_stix.xml

Contact DHS or law enforcement immediately to report an intrusion and to request incident response resources or technical assistance.

Description
Since at least May 2017, threat actors have targeted government entities and the energy, water, aviation, nuclear, and critical manufacturing sectors, and, in some cases, have leveraged their capabilities to compromise victims’ networks. Historically, cyber threat actors have targeted the energy sector with various results, ranging from cyber espionage to the ability to disrupt energy systems in the event of a hostile conflict. Historically, threat actors have also targeted other critical infrastructure sectors with similar campaigns. Analysis by DHS, FBI, and trusted partners has identified distinct indicators and behaviors related to this activity. Of specific note, the report Dragonfly: Western energy sector targeted by sophisticated attack group, released by Symantec on September 6, 2017, provides additional information about this ongoing campaign.

This campaign comprises two distinct categories of victims: staging and intended targets. The initial victims are peripheral organizations such as trusted third party suppliers with less secure networks. The initial victims are referred to as “staging targets” throughout this alert. The threat actor uses the staging targets’ networks as pivot points and malware repositories when targeting their final intended victims.
The ultimate objective of the cyber threat actors is to compromise organizational networks, which are referred to throughout this alert as the “intended target.”

Technical Details
The threat actors in this campaign employed a variety of TTPs, including: open-source reconnaissance, spear-phishing emails (from compromised legitimate accounts), watering-hole domains, host-based exploitation, industrial control system (ICS) infrastructure targeting, and ongoing credential gathering.

Using Cyber Kill Chain for Analysis
DHS leveraged the Cyber Kill Chain model to analyze, discuss, and dissect malicious cyber activity. Phases of the model include reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on the objective. This section will provide a high-level overview of activity within this framework.

Stage 1: Reconnaissance
The threat actors appear to have deliberately chosen the organizations they targeted, rather than pursuing them as targets of opportunity. Staging targets held preexisting relationships with many of the intended targets. It is known that threat actors are actively accessing publicly available information hosted by organization-monitored networks. DHS further assesses that threat actors are seeking to identify information pertaining to network and organizational design, as well as control system capabilities, within organizations...
Posted on 21 October 2017 1:50 am on www.us-cert.gov
NCCIC/ICS-CERT is aware of a public report of buffer overflow vulnerabilities affecting Eaton ELCSoft, a PLC programming software for Eaton Logic Control (ELC) controllers. According to the public report, which was coordinated with ICS-CERT prior to its public release, researcher Ariele Caltabiano (kimiya), working with Trend Micro's Zero Day Initiative, identified that an attacker can leverage these vulnerabilities to execute arbitrary code in the context of the process. ICS-CERT has notified the affected vendor, who has reported that they are planning to address the vulnerabilities. No timeline has been provided. ICS-CERT is issuing this alert to provide notice of the report and to identify baseline mitigations for reducing risks to these and other cybersecurity attacks.
Posted on 4 August 2017 10:11 pm on ics-cert.us-cert.gov
NCCIC/ICS-CERT is aware of a public report of a vulnerability in the Controller Area Network (CAN) Bus standard, with proof-of-concept (PoC) exploit code, affecting CAN Bus, a broadcast-based network standard. According to the public report, which was coordinated with ICS-CERT prior to its public release, researchers Andrea Palanca, Eric Evenchick, Federico Maggi, and Stefano Zanero identified a vulnerability exploiting a weakness in the CAN protocol that allows an attacker to perform a denial-of-service (DoS) attack.
Posted on 28 July 2017 10:34 pm on ics-cert.us-cert.gov
CRASHOVERRIDE, aka Industroyer, is the fourth family of malware publicly identified as targeting industrial control systems (ICS). It uses a modular design, with payloads that target several industrial communication protocols and are capable of directly controlling switches and circuit breakers. Additional modules include a data-wiping component and a module capable of causing a denial of service (DoS) to Siemens SIPROTEC devices.
Posted on 25 July 2017 7:45 pm on ics-cert.us-cert.gov
Original release date: July 01, 2017 | Last revised: February 15, 2018

Systems Affected
Microsoft Windows operating systems

Overview
This Alert has been updated to reflect the U.S. Government's public attribution of the "NotPetya" malware variant to the Russian military. Additional information may be found in a Statement from the White House Press Secretary. For more information related to NotPetya activity, go to https://www.us-cert.gov/grizzlysteppe.

The scope of this Alert’s analysis is limited to the newest Petya malware variant that surfaced on June 27, 2017. This malware is referred to as “NotPetya” throughout this Alert.

On June 27, 2017, NCCIC was notified of Petya malware events occurring in multiple countries and affecting multiple sectors. This variant of the Petya malware—referred to as NotPetya—encrypts files with extensions from a hard-coded list. Additionally, if the malware gains administrator rights, it encrypts the master boot record (MBR), making the infected Windows computers unusable. NotPetya differs from previous Petya malware primarily in its propagation methods.

The NCCIC Code Analysis Team produced a Malware Initial Findings Report (MIFR) to provide in-depth technical analysis of the malware. In coordination with public and private sector partners, NCCIC is also providing additional indicators of compromise (IOCs) in comma-separated-value (CSV) form for information sharing purposes.

Available Files:
MIFR-10130295.pdf
MIFR-10130295_stix.xml
TA-17-181B_IOCs.csv

Description
NotPetya leverages multiple propagation methods to spread within an infected network.
According to malware analysis, NotPetya attempts the lateral movement techniques below:
PsExec - a legitimate Windows administration tool
WMI - Windows Management Instrumentation, a legitimate Windows component
EternalBlue - the same Windows SMBv1 exploit used by WannaCry
EternalRomance - another Windows SMBv1 exploit

Microsoft released a security update for the MS17-010 SMB vulnerability on March 14, 2017, which addressed the EternalBlue and EternalRomance lateral movement techniques.

Technical Details
NCCIC received a sample of the NotPetya malware variant and performed a detailed analysis. Based on the analysis, NotPetya encrypts the victim’s files with a dynamically generated, 128-bit key and creates a unique ID of the victim. However, there is no evidence of a relationship between the encryption key and the victim’s ID, which means it may not be possible for the attacker to decrypt the victim’s files even if the ransom is paid. It behaves more like destructive malware rather than ransomware.

NCCIC observed multiple methods used by NotPetya to propagate across a network. The first and—in most cases—most effective method uses a modified version of the Mimikatz tool to steal the user’s Windows credentials. The cyber threat actor can then use the stolen credentials, along with the native Windows Management Instrumentation Command Line (WMIC) tool or the Microsoft SysInternals utility, psexec.exe, to access other systems on the network. Another method for propagation uses the EternalBlue exploit tool to target unpatched systems running a vulnerable version of SMBv1. In this case, the malware attempts to identify other hosts on the network by checking the compromised system’s IP physical address mapping table. Next, it scans for other systems that are vulnerable to the SMB exploit and installs the malicious payload. Refer to the malware report, MIFR-10130295, for more details on these methods.
The analyzed sample of NotPetya encrypts the compromised system’s files with a 128-bit Advanced Encryption Standard (AES) algorithm during runtime. The malware then writes a text file on the “C:\” drive that includes a static Bitcoin wallet location as well as a unique personal installation key intended for the victim to use when making the ransom payment and the user’s Bitcoin wallet ID. NotPetya modifies the master boot record (MBR) to enable encryption of the master file table (MFT) and the original MBR, and then reboots the system. Based on the encryption methods used, it appears unlikely that the files could be restored, even if the attacker received the victim’s unique key and Bitcoin wallet ID.

The delivery mechanism of NotPetya during the June 27, 2017, event was determined to be the Ukrainian tax accounting software, M.E.Doc. The cyber threat actors used a backdoor to compromise M.E.Doc’s development environment as far back as April 14, 2017. This backdoor allowed the threat actor to run arbitrary commands, exfiltrate files, and download and execute arbitrary exploits on the affected system. Organizations should treat systems with M...
Posted on 1 July 2017 8:41 am on www.us-cert.gov
This updated alert is a follow-up to the updated alert titled ICS-ALERT-17-181-01B Petya Malware Variant that was published July 5, 2017, on the NCCIC/ICS-CERT web site. ICS-CERT is aware of reports of a variant of the Petya malware that is affecting several countries. ICS-CERT is releasing this alert to enhance the awareness of critical infrastructure asset owners/operators about the Petya variant and to identify product vendors that have issued recommendations to mitigate the risk associated with this malware.
Posted on 1 July 2017 12:09 am on ics-cert.us-cert.gov
This updated alert is a follow-up to the updated alert titled ICS-ALERT-17-135-01H Indicators Associated With WannaCry Ransomware that was published May 31, 2017, on the NCCIC/ICS-CERT web site.
Posted on 16 May 2017 2:16 am on ics-cert.us-cert.gov
This updated alert is a follow-up to the original alert titled ICS-ALERT-17-102-01A BrickerBot Permanent Denial-of-Service Attack that was published April 12, 2017, on the NCCIC/ICS-CERT web site. ICS-CERT is aware of open-source reports of “BrickerBot” attacks, which exploit hard-coded passwords in IoT devices in order to cause a permanent denial of service (PDoS). This family of botnets, which consists of BrickerBot.1 and BrickerBot.2, was described in a Radware Attack Report.
Posted on 12 April 2017 6:02 pm on ics-cert.us-cert.gov
NCCIC/ICS-CERT is aware of a public report of a directory traversal vulnerability with proof-of-concept (PoC) exploit code affecting the embedded webserver (“PST10 WebServer”) in Miele Professional PG 8528, a large capacity washer and disinfector used in hospitals and laboratory settings to disinfect medical and laboratory equipment. According to this report, the vulnerability is remotely exploitable.
Posted on 30 March 2017 5:10 pm on ics-cert.us-cert.gov
This updated alert is a follow-up to the original alert titled ICS-ALERT-17-073-01 MEMS Accelerometer Hardware Design Flaws that was published March 14, 2017, on the NCCIC/ICS-CERT web site. ICS-CERT is aware of public reporting of hardware design flaws in some capacitive micro-electromechanical systems (MEMS) accelerometer sensors, which are produced by the following manufacturers: Robert Bosch GmbH, STMicroelectronics, InvenSense Inc., Analog Devices Inc., and Murata Manufacturing Company.
Posted on 14 March 2017 4:10 pm on ics-cert.us-cert.gov